Security Lab 2 MAN IN THE MIDDLE ATTACK

Objectives

- To understand ARP poisoning and how it forms a MITM.
- To understand DNS poisoning and how it is used in a MITM.
Overview

Suppose that Alice, a high school student, is in danger of
receiving a poor grade in math. Her teacher, Bob, mails a
letter to Alice’s parents requesting a conference. However,
Alice waits for the mail and removes the original letter from
the mail box before her parents come home. She then
replaces it with a counterfeit letter from Bob that
compliments her for her math work. She also forges her
parents' signature on the original letter to decline a
conference and then mails it back to Bob. The parents read
the fake letter and compliment Alice on her hard work, while
Bob wonders why her parents do not want a conference.
Alice has conducted a Man-In-The-Middle attack by
intercepting legitimate communication and forging a
fictitious response to the sender.
Definition of MITM

- Man-in-the-middle (MITM) attacks occur when the attacker manages to position themselves between the legitimate parties to a conversation.
- The attacker spoofs each legitimate party to the other, so that every party believes it is talking to the expected, legitimate counterpart.
- A MITM attack allows the attacker to eavesdrop on the conversation between the parties, or to actively intervene in the conversation to achieve some illegitimate end.
Where is MITM common?

- MITM attacks are relatively uncommon in the wired Internet, since there are very few places where an attacker can insert itself between two communicating terminals and remain undetected.
- For wireless links, however, the situation is quite different. Unless proper security is maintained on wireless last-hop links, it can be fairly easy for an attacker to insert itself, depending on the nature of the wireless link-layer protocol.
Man-in-the-middle attack types

- Man-in-the-middle attacks can be active or passive.
- In a passive attack, the attacker captures the data that is being transmitted, records it, and then sends it on to the original recipient without his presence being detected.
- In an active attack, the contents are intercepted and altered before they are sent on to the recipient.
The purpose of Man-In-The-Middle Attacks

Man-in-the-middle attacks have a variety of applications, including:

- Web spoofing: This is an attack in which the assailant arranges his Web server between his victim’s Web browser and a legitimate server. In this case, the attacker can monitor and record the victim’s online activity, as well as modify the content being viewed by the victim.
- TCP session hijacking: By arranging for traffic between two hosts to pass through his machine, an attacker can actually take over the role of one of them and assume full control of the TCP session. For example, by monitoring a victim’s communications with an FTP server, the attacker can wait for the victim to authenticate and then hijack the TCP session and take over the user’s access to the FTP server.
- Information theft: The attacker can passively record data communications in order to gather sensitive information that might be passing between two hosts. This information could include anything from industrial secrets to username and password information.
- Many other attacks, including denial-of-service attacks, corruption of transmitted data, or traffic analysis to gain information about the victim’s network.
Conducting man-in-the-middle attacks

Man-in-the-middle attacks can be accomplished using a variety of methods. In fact, any person who has access to network packets as they travel between two hosts can accomplish these attacks:

- ARP poisoning: Using Hunt, a freely available tool that uses ARP poisoning, an attacker can monitor and then hijack a TCP session. This requires that the attacker be on the same Ethernet segment as either the victim or the host with which it is communicating.
- ICMP redirects: Using ICMP redirect packets, an attacker could instruct a router to forward packets destined for the victim through the attacker’s own machine. The attacker can then monitor or modify the packets before they are sent to their destination.
- DNS poisoning: An attacker redirects victim traffic by compromising the victim’s DNS cache with incorrect hostname-to-IP address mappings.
Countermeasures

To protect against man-in-the-middle attacks, routers
should be configured to ignore ICMP redirect packets.
Countermeasures for ARP and DNS poisoning will be
examined in the following discussion of spoofing
techniques.
ARP poisoning

ARP (Address Resolution Protocol) poisoning is a
technique used to corrupt a host’s ARP table,
allowing the hacker to redirect traffic to the
attacking machine. The attack can only be carried
out when the attacker is connected to the same local
network as the target machines.
ARP poisoning operation

- ARP operates by sending out ARP request packets.
- An ARP request broadcasts the question, “Whose IP address is x.x.x.x?” to all computers on the LAN, even on a switched network.
- Each computer examines the ARP request and checks if it is currently assigned the specified IP.
- The machine with the specified IP address returns an ARP reply containing its MAC address.
- To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies.
- When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association.
- ARP cache poisoning occurs when an attacker sends forged ARP replies.
- In this case, a target computer could be convinced to send frames to the attacker’s PC instead of the trusted host.
- When done properly, the trusted host will have no idea this redirection took place.
Example for ARP poisoning operation

- First, the attacker would say that the router's IP address is mapped to his MAC address.
- Second, the victim now attempts to connect to an address outside the subnet.
- The victim has an ARP mapping showing that the router's IP is mapped to the hacker's MAC; therefore, the physical packets are forwarded through the switch and to the hacker.
- Finally, the hacker forwards the traffic onto the router.
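The poisoning sequence above leaves traces in the ARP traffic itself, which is what a passive monitor such as arpwatch looks for. The following Python monitor is an added example, not code from the lab or from any tool it names; the packet dictionary fields and the sample capture (addresses 10.0.0.1, 10.0.0.5, 10.0.0.66 and their MACs) are constructed for illustration.

```python
# Added example (not part of the lab handout): a passive ARP monitor in the spirit
# of arpwatch. It replays captured ARP packets, keeps the IP-to-MAC table a host
# would build, and raises an alert on the three signs of the poisoning described
# above: a reply nobody asked for, an existing binding that changes, and one MAC
# answering for more than one IP (the attacker's own address plus the router's).

def monitor_arp(packets, known=None):
    """packets: iterable of dicts with op ('request'|'reply'), sender_ip,
    sender_mac, target_ip. known: optional static ip->mac bindings (for example
    the gateway). Returns (final ip->mac table, list of alert strings)."""
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    pending = set()            # IPs a request went out for, reply not yet seen
    alerts = []
    for p in packets:
        ip, mac = p["sender_ip"], p["sender_mac"].lower()
        if p["op"] == "request":
            pending.add(p["target_ip"])
            continue
        if ip in pending:
            pending.discard(ip)
        else:                  # forged replies are typically unsolicited
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding change: {ip} was {old}, now {mac}")
        others = sorted(i for i, m in table.items() if m == mac and i != ip)
        if others:
            alerts.append(f"{mac} now claims {ip} as well as {', '.join(others)}")
        table[ip] = mac
    return table, alerts

# Constructed sample capture: 10.0.0.1 is the router (aa:...), 10.0.0.5 the victim
# and 10.0.0.66 the attacker (cc:...). The last packet is the forged reply that
# maps the router's IP to the attacker's MAC.
SAMPLE = [
    {"op": "request", "sender_ip": "10.0.0.5",  "sender_mac": "bb:bb:bb:bb:bb:bb", "target_ip": "10.0.0.1"},
    {"op": "reply",   "sender_ip": "10.0.0.1",  "sender_mac": "aa:aa:aa:aa:aa:aa", "target_ip": "10.0.0.5"},
    {"op": "request", "sender_ip": "10.0.0.5",  "sender_mac": "bb:bb:bb:bb:bb:bb", "target_ip": "10.0.0.66"},
    {"op": "reply",   "sender_ip": "10.0.0.66", "sender_mac": "cc:cc:cc:cc:cc:cc", "target_ip": "10.0.0.5"},
    {"op": "reply",   "sender_ip": "10.0.0.1",  "sender_mac": "cc:cc:cc:cc:cc:cc", "target_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    table, alerts = monitor_arp(SAMPLE)
    for a in alerts:
        print("ALERT:", a)
```

Passing the gateway's real binding in `known` models a static ARP entry: the monitor then flags the forged reply even if it is the first reply it ever sees for that IP.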
Figure: The ARP poisoning process

ARP poisoning

- After this setup is in place, the hacker is able to pull off many types of man-in-the-middle attacks.
- This includes passing on the packets to their true destination, scanning them for useful information, or recording the packets for a session replay later.
- IP forwarding is a critical step in this process. Without it, the attack turns into a denial of service: the victim's frames arrive at the attacker's machine and are never relayed to the router.
- IP forwarding can be configured as shown in Table 1.
IP Forwarding Configuration

Table 1. IP Forwarding Configuration

Operating system: Linux
  Command: Enter the following command to edit /proc (1=Enabled, 0=Disabled)
  Syntax:  echo 1 >/proc/sys/net/ipv4/ip_forward

Operating system: Windows 2000, XP, and 2003
  Command: Edit the following value in the registry (1=Enabled, 0=Disabled)
  Syntax:  IPEnableRouter
           Location: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
           Data type: REG_DWORD
           Valid range: 0-1
           Default value: 0
           Present by default: Yes
Tools for performing ARP spoofing attacks

There are many tools for performing ARP spoofing attacks for both Windows and Linux. A few are introduced here:

- Arpspoof: Part of the Dsniff package of tools written by Dug Song. Arpspoof redirects packets from a target system on the LAN intended for another host on the LAN by forging ARP replies.
- Ettercap: One of the most feared ARP poisoning tools, because Ettercap can be used for ARP poisoning, for passive sniffing, as a protocol decoder, and as a packet grabber. It is menu driven and fairly simple to use.
  As an example, ettercap -Nzs will start ettercap in command-line mode (-N), not perform an ARP storm for host detection (-z), and passively sniff for IP traffic (-s). This will output packets to the console in a format similar to Windump or Tcpdump. Ettercap exits when you type q.
  Ettercap can even be used to capture usernames and passwords by using the -C switch. Other common switches include: -N is non-interactive mode, -z starts in silent mode to avoid ARP storms, and -a is used for ARP sniffing on switched networks.
Countermeasures

- To stop ARP poisoning, use network switches that have MAC binding features.
- Switches with MAC binding store the first MAC address that appears on a port and do not allow the mapping to be changed without authentication.
DNS poisoning

- DNS spoofing manipulates the DNS server to redirect users to an attacker’s server.
- The DNS server resolves Internet domain names (www.google.com) to IP addresses (74.125.230.144), taking the burden off the user to remember a series of numbers.
- DNS spoofing can alter the cache so that www.google.com, which normally translates to an IP address of 74.125.230.144, is redirected to 72.30.2.43 (yahoo.com).
Ways of DNS Spoofing

DNS spoofing is accomplished in one of three ways:

- The attacker compromises the victim organization’s Web server and changes a hostname-to-IP address mapping. When users request the hostname, they are redirected to the hacker’s server, rather than the authentic one.
- Using IP spoofing techniques, the attacker’s DNS server, instead of the legitimate DNS server, answers lookup requests from users. Again, the hacker can direct user lookups to the server of his or her choice instead of to the authentic server (also called DNS hijacking).
- When the victim organization’s DNS server requests lookups from authoritative servers, the attacker “poisons” the DNS server’s cache of hostname-to-IP address mappings by sending false replies. The organization’s DNS server stores the invalid hostname-to-IP address mapping and serves it to clients when they request a resolution.

All three attacks can cause serious security problems, such as redirecting clients to wrong Internet sites or routing e-mail to non-authorized mail servers.
Countermeasures

To prevent DNS spoofing:

- Ensure that your DNS software is the latest version, with the most recent security patches installed.
- Enable auditing on all DNS servers.
- Secure the DNS cache against pollution.
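Securing the cache against pollution comes down to checks a resolver runs on every reply before anything from it is cached: the reply must match an outstanding query, and only records inside the bailiwick of the zone that was asked can be stored. The following Python example is added here and is not code from the lab or from any DNS software; the dictionary layout of queries and replies, the zone example.com and the address 192.0.2.10 are assumptions for illustration, while www.google.com and 72.30.2.43 are the redirection from the handout.

```python
# Added example (not part of the lab handout): resolver-side checks that keep
# forged replies out of a DNS cache. A reply is accepted only if its transaction
# ID and question match an outstanding query, and only records inside the
# bailiwick of the queried zone are cached; everything else is discarded and reported.

def in_bailiwick(name, zone):
    """True if name is zone itself or a name beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(query, response):
    """query: {"id", "name", "qtype", "zone"} for a lookup sent to the nameserver
    of "zone". response: {"id", "question": {"name", "qtype"}, "records": [...]}
    with each record {"section", "name", "rtype", "rdata"}.
    Returns (records safe to cache, list of reasons anything was rejected)."""
    reasons = []
    if response["id"] != query["id"]:
        reasons.append("transaction ID does not match the outstanding query")
    q = response["question"]
    if q["name"].lower() != query["name"].lower() or q["qtype"] != query["qtype"]:
        reasons.append("question section does not match the outstanding query")
    if reasons:                 # blind spoof or stray reply: cache nothing
        return [], reasons
    accepted = []
    for rec in response["records"]:
        if in_bailiwick(rec["name"], query["zone"]):
            accepted.append(rec)
        else:
            reasons.append(f"dropped out-of-bailiwick {rec['section']} record for {rec['name']}")
    return accepted, reasons

# Constructed sample: the resolver asked the nameserver of the hypothetical zone
# example.com for www.example.com; the reply smuggles a record for www.google.com
# pointing at 72.30.2.43 into the additional section (the handout's redirection).
QUERY = {"id": 0x1a2b, "name": "www.example.com", "qtype": "A", "zone": "example.com"}
POISONED = {
    "id": 0x1a2b,
    "question": {"name": "www.example.com", "qtype": "A"},
    "records": [
        {"section": "answer", "name": "www.example.com", "rtype": "A", "rdata": "192.0.2.10"},
        {"section": "additional", "name": "www.google.com", "rtype": "A", "rdata": "72.30.2.43"},
    ],
}
WRONG_ID = dict(POISONED, id=0x1a2c)   # transaction ID guessed wrong (blind spoof)

if __name__ == "__main__":
    for label, resp in (("poisoned", POISONED), ("wrong id", WRONG_ID)):
        cached, why = validate_response(QUERY, resp)
        print(label, "cached:", [r["name"] for r in cached], "reasons:", why)
```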